Security Experts:

Easily Exploitable Vulnerability Found in Netis Routers

Routers produced by China-based networking solutions provider Netis Systems are plagued by a security hole that can be leveraged by an attacker to gain control of the devices, Trend Micro reported on Monday.

Netis Systems is part of the Netcore Group, which is headquartered in Shenzhen. Their products are sold under the Netcore brand name in China and as Netis is other parts of the world. According to the security firm, Netis/Netcore routers are exposed by a backdoor that can be easily exploited.

A remote attacker that knows the targeted router's external IP address can gain access to it through the UDP port 53413. In order to get to the actual backdoor, the attacker must enter a password, but this feature provides little protection because the password is hardcoded in the firmware. Furthermore, all Netcore/Netis routers seem to have the same password.

Trend Micro Threat Researcher Tim Yeh believes most routers are plagued by this flaw. A scan performed with ZMap, the open-source network scanner that allows researchers to conduct studies, revealed that there are two million potentially vulnerable devices. While most of them are located in China, some have been found in South Korea, Taiwan, Israel and the United States.

Once logged in, an attacker can perform a wide range of tasks, including download, upload and execute files.

"This gives the attacker near-complete control of the router. For example, settings can be modified to help carry out man-in-the-middle attacks," Yeh explained in a blog post.

Experts noted that the documentation for these Netcore/Netis routers doesn't mention anything about the backdoor and what it might be used for. Trend Micro said it reported the existence of the flaw to the manufacturer but received no response. SecurityWeek has also reached out to the company, but hasn't heard back by press time.

The security firm says users can't do much to address the issue. The best option is to stop using the vulnerable devices. The easiest way to determine if a router is affected is to probe port 53413 with an online scanner.

Vulnerabilities in small office/home office (SOHO) routers are not uncommon. At the SOHOpelessly Broken contest that took place at the DefCon 22 security conference, researchers reported a total of 15 zero-day flaws.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.